hats-finance / Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0

Proof of Humanity Protocol v2

Data length is not validated #31

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: @sonny2k
Twitter username: --
Submission hash (on-chain): 0x2862d205c8d62d8f17f4c18ed12aa0929a8e78ab7b0bd49a84cacae5b34208e4
Severity: low

Description:

The following functions do not validate that the input _data is 32 bytes.

AMBBridgeGateway.sol.sendMessage()

Attack Scenario:

The input _data contains the outbound Merkle root or aggregated Merkle root, which is always 32 bytes. If the root is not 32 bytes, it is invalid and should be rejected.

Recommendation:

Consider validating the input _data to ensure that it is 32 bytes.

    function sendMessage(bytes memory _data) external override {
+     require(_data.length == 32, "!length");
       require(msg.sender == homeProxy, "!homeProxy");
       amb.requireToPassMessage(foreignGateway, abi.encodeCall(this.receiveMessage, (_data)), amb.maxGasPerTx());
    }
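
Review bot: the added `require(_data.length == 32, "!length");` sits above the `msg.sender == homeProxy` check in sendMessage, so an unauthorized caller is rejected with a payload-format error instead of "!homeProxy"; put the caller check first. Because only homeProxy can get past that check, the length of _data is whatever that contract encodes, and nothing in these lines shows the payload to be 32 bytes. Confirm the caller's encoding before adding a hard length constraint, since a mismatch would make every call revert before `amb.requireToPassMessage` is reached.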

clesaege commented 2 months ago

I couldn't make sense of this report. What is the link with a Merkle root? Why would the data need to be 32 bytes?

The function sendMessage is called by CrossChainProofOfHumanity.sol there and there. So those messages are of a fixed length sent by a contract which is defined.